NSA Caught Siphoning Data from Google, Yahoo Servers

There is "no way" the NSA's newly revealed surveillance activities could have been legal, asserted Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University. "There is obviously a big security issue here," Cate explained. "It puts us in an almost surreal position, especially as there is no way that the NSA could truly differentiate between U.S. citizens and non-U.S. citizens."

The National Security Agency has tapped fiber-optic cables that connect Google's and Yahoo's overseas servers and accessed vast amounts of data including email and other personal information, according to a Wednesday report in The Washington Post.

Included in the data culled by the NSA is information on hundreds of millions of users, many of whom are American, the Post reported, citing documents obtained by NSA contractor Edward Snowden along with interviews with other officials.

The NSA's acquisition directorate reportedly sent millions of records daily from internal Yahoo and Google networks to a data warehouse at the agency's Fort Meade, Md., headquarters.

'Not True'

The NSA balked at the idea that it was looking into the personal information of American citizens.

"NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation," NSA spokesperson Vanee Vines told TechNewsWorld. "The Washington Post's assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true.

"The assertion that we collect vast quantities of U.S. persons' data from this type of collection is also not true," Vines added. "NSA applies Attorney General-approved processes to protect the privacy of U.S. persons, minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention and dissemination."

'We Are Outraged'

Both Google and Yahoo stressed that they did not participate in the NSA's data collection.

"We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links," said David Drummond, Google's chief legal officer. "We do not provide any government, including the U.S. government, with access to our systems.

"We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks," Drummond added. "It underscores the need for urgent reform."

Similarly, "we have strict controls in place to protect the security of our data centers," Yahoo spokesperson Lauren Armstrong told TechNewsWorld. "We have not given access to our data centers to the NSA or to any other government agency."

'A Gross Violation'

It's unclear exactly how the NSA achieved this tap, but the Post report suggests that "anything flowing between Google's data servers would be vulnerable, which means both metadata and content of millions of emails, among other things," Trevor Timm, an activist with the Electronic Frontier Foundation, pointed out.

Was the surveillance legal?

"The U.S. government thinks it is," Timm told TechNewsWorld. "We think it's a gross violation of the privacy rights of Americans and those abroad.

"Congress will act to make sure this will never happen again, and tech companies will implement changes to make sure the NSA can't do it again even if they tried," he added.

"There is obviously a big security issue here," Cate explained. "It puts us in an almost surreal position, especially as there is no way that the NSA could truly differentiate between U.S. citizens and non-U.S. citizens, as they claim."

A Fine Line

Of course, these revelations are just the latest in what's becoming a long stream of leaks about government surveillance.

"The truth is, even with all the public leaks and media reporting to date, presumably there's still much we neither know nor have the ability to accurately/fairly understand in full context," Jeffrey Silva, senior policy director for telecommunications, media and technology at Medley Global Advisors, told TechNewsWorld.

"Questions about the legality and appropriateness of certain government surveillance -- especially in the post-9/11 world -- are apt to persist on an ongoing basis with every new revelation," Silva added.

"The government may need to make a stronger case, and repeat it often, that expanded surveillance is a price that must be paid in the post-9/11era if U.S. citizens want to be safe," he concluded. "At the same, there's the question of whether current level of government surveillance, that even if legal, amounts to overkill and an unnecessary intrusion on American privacy."

A Chill Down the Spine

In the bigger picture, the revelations are "like layers of an onion," suggested Tim Erlin, director of IT risk and security strategy at Tripwire. "This period of information security history will do more to spur a renewed interest in verifiable security, including end-to-end encryption and distributed systems for validation, than anything we've seen in a long time."

The fact is, however, "we've tacitly agreed to allow our personal data be aggregated in large organizations like Google, Yahoo and Facebook," Erlin told TechNewsWorld. "These companies have so much intelligence that they have become too attractive as intelligence targets."

Indeed, "the companies involved should be the ones with most concerns," said Cate. "This is not good for their business."

Moreover, "when you look at it with the tapestry of all the programs that we've seen come to light," he added, "that is when the cold chill goes down your spine."